An (extra)ordinary decision: the U.S. Microsoft Case

An (extra)ordinary decision: the U.S. Microsoft Case

di Rubén Cano Pérez

This Articles has the purpose to analyse and put some light on the long awaited US Supreme Court Microsoft case Decision.

As technology evolves, jurisdiction problems arise. Regardless of the juris-dictioapproach adopted, there is a lesson to be learned from internet ubiquity: the internet is (yet) ownerless. The classic souverainetédefinition conceived by Bodin, Hobbes or Rousseau, upon which the international jurisdictional system as it is known today, has been built, simply does not fit when it comes to the network of networks.

Two of the relevant factors underlying pertinent jurisdictional rules are becoming decontextualized. Firstly, the traditional dichotomy among public and private matters and its distinction is becoming more and more blurred. Secondly, the applicability of the right to enforce rules has completely changed. Developing the last statement, traditionally adjudicative and legislative jurisdiction had an extra-territorial reach if the concerned State considered, through its courts or parliament, that a particular case or subject-matter felt within its sovereignty. On the contrary, enforcement jurisdiction has been always understood as territorial: How a State is going to send the police to another third State’s territory?

Right to prescribe laws and right to adjudicate disputes have changed, but enforcement has been modified upside down. Nowadays, technology allows a State to collect data located in another State even without its knowledge (presupposing that location matters) and a webpage may be blocked from a territory even if the company’s headquarters are located overseas, therefore, challenging enforcement right based on the territoriality principle -e.g. Yahoo! Inc. v. LICRA case, Tribunal de grande instance (T.G.I.) (ordinary court of original jurisdiction) Paris, May 22, 2000 and November 22, 2000, No RG:00/0538.

1. PART I: MICROSOFT CORP. V UNITED STATES

1.1. Brief Comment

The issue has been very much discussed causing rivers of ink to flow. Here, it suffices to say that the U.S. government served a warrant to Microsoft in order to collect the content of concrete emails. Microsoft, only provided user data hosted on U.S. servers arguing that the emails’ content was hosted on Ireland. In different procedural steps, and in the decision of the US Court of Appel for the Second Circuit, several interesting features were disregarded. Decisions discuss alternatively privacy and international reach of US law matters, focussing on the latter, but presume data territoriality. According to Microsoft, the warrant has a territorial-based approach, in which the relevant link for enforcement is the one of data location; under US government’s perspective, the order has a subpoena nature, being therefore relevant another territorial link: Microsoft’s headquarters [[1]].

In other words, data particularities and the fact that the data is not from Microsoft (as such), were not evaluated. The concrete decision concludes that “the Congress did not intend SCA’s warrant provisions to apply extraterritorially”. Even if, under my view, the result intended to obtain is correct, the ruling does not give a clear test to address similar cases or a clear solution for the government to gather those data, stressing data characteristics.

Beyond the court’s outcome, the case has two underlying jurisdictional questions: i) territorially limited interpretation of the Fourth Amendment, which by restricting its application to U.S. citizens and citizens with substantial connection to the U.S., leaves unprotected most part of foreigners’ privacy rights; ii) geographic extension of the warrant’s enforcement, by interpreting where the seizure or data collection is being made [[2]]. Therefore, on the one hand, geographic extension of the warrant, and on the other hand interpretation of the warrant’s application limitations under the U.S. Constitution.

Judge Lynch, in the concurring opinion of the judgement, states that he does not appreciate individual privacy threatened as defined in the Fourth Amendment. This is true bearing in mind given interpretation of the Fourth Amendment warrant’s enforcement limitation, but if another, more reasonable interpretation, is adopted, the result would be different. In any case, it is not arguable that privacy provisions application through the trigger of the Fourth Amendment depends on whether the individual whose data is collected has sufficient links with the U.S. Sadly, the court does not have the possibility to evaluate which is the data holder nationality in order to know which would be his privacy reasonable expectations, even though Judge Lynch and the decision, declare that nationality could be an important factor in order to decide territorial or extraterritorial application of US law[[3]].

Returning to the main problematic, leaving aside warrant’s enforcement limitation under the U.S. Constitution, the decision of where the State enforcement action takes place is extremely difficult: The place where data is stored? The place where data is accessed? The place where the intermediary has its headquarters?

Again, a territorial-based approach which assumes two features: i) objects location is stable and identifiable; ii) previous location matters. As will be explained, data characteristics challenge this territorial approach presumptions.

1.2. Why is Data Special

Data is special because of its mobility, accessibility, and control from different points, regardless of the server location. Commentators as Daskal suggest that main characteristics are mobility, data divisibility and data partitioning, location independence, and data intermingling [[4]].

Characteristics of data destroy territorial presumptions particularly in two aspects: i) independence between location, accessibility, mobility and unpredictable ways to transfer it, make data location an arbitrary place to determine jurisdiction; ii) linked with the latter, physical disconnect between servers and users, make difficult to give territorial jurisdiction and apply law to a user that is not often aware where data is stored or moved.

This entails neither Microsoft or U.S. territorial approaches are suitable. If Microsoft approach is adopted, law enforcement would depend on where the intermediary wants to locate the server. This would foster imposition by governments of data location obligations harming internet as a global network. If U.S. approach is chosen, the result is borderless law enforcement, breaking all possible internet and international commitments, and setting an international dangerous precedent [[5]]. In this line, other states would adopt the same position and countries as Russia or China would access data from U.S. citizens because, no territorial action is needed in order execute the warrant. Finally, clashes of sovereignty would lead to “choice of law” problems, as has been explained with respect to the Fourth Amendment and difference between privacy protection.

1.3. Is there a solution?

Extraterritoriality is clear, but its application to data collection, is far from being likewise. Ireland in its Amici Curiae Brief suggested jurisdiction competence based on the non-intervention principle. But Ireland, providing solutions, has been supportive to reinforce MLTAs and international cooperation.

There are few commentators contributing answers, but the vast majority accept the need for new cross-border mechanisms where privacy and sovereignty respect go hand-in-hand. They suggest several options, the majority of them coming from a cooperation perspective: i) strengthen the MLAT system; ii) strengthen of the MLAT, but allowing exceptional situations where data may have an extraterritorial jurisdiction (e.g. national security); iii) Acts that allow extraterritorial reach of warrants only in the case of U.S. citizens or nationals, which could also lead to sovereignty clashes; iv) international substantial convergence in this matter for warrants issuance and reach of warrants regardless of the place where data is located.

Reaffirming the need of other mechanisms, even the court stated that ‘Congress, rather than the Courts, has the facilities necessary to make policy decisions in the delicate field of international relations; data lies within the jurisdiction of a foreign sovereignty’. In my opinion, the court produced the right outcome, but did not want to enter deeply into problems that, judges understand, must not be solved by courts. Perhaps the right solution is to reach international informal agreements with respect to this issue and strengthen MLATs until a substantial basic treaty is adopted, avoiding which is inevitably a jurisdictions conflict. In this jurisdiction agreements, linking and determining factors could be: i) data holder nationality, domicile and establishment in order to determine privacy expectations; ii) type of data, meaning personal or non-personal data; iii) type of warrant; iv) nature of the underlying legal issue that the warrant is attempting to solve; v) whether data is from an individual/company stored by an intermediary or, on the contrary is stored by the individual/company or subsidiaries as such.

Hopefully, U.S. Supreme Court will approach this matter differently than lower courts. An unfortunate decision would imply that warrant has extraterritorial effects to seize data from a citizen who is not covered by the Fourth Amendment reasonableness limits, which would be a complete disregard of all jurisdictional/privacy principles, especially when data holder nationality, domicile or characteristics are not taken into consideration.

2. WHAT’S NEXT?

All in all, in the Microsoft case, the extension of jurisdiction would be astonishing (independently from what is the chosen link for this jurisdiction) when there are mechanisms as the Budapest Convention on Cybercrime, MLTAs and FISA (under which warrants are not required to carry out foreign surveillance). With current jurisprudence and tools at our disposal (and without willingness to understand that data is different), the presumption against extraterritoriality is the correct approach, following the Charming Betsy doctrine in order to avoid conflict with other nations laws [[6]], bearing in mind the sensitive divergences between European Union and US regarding data and privacy protection. In addition, there are pieces of legislation as the Art. 8 of the Montevideo Convention, affirming the principle of non-intervention, which has been even recognised by the International Court of Justice [[7]].

In sum, regarding Microsoft case, court or parties’ approaches are not in line with data characteristics and the internet, but with current jurisprudence and international legislation, to assert capability for the US to enforce a warrant like this overseas, could have dramatic consequences.

Bibliography

Legal texts and other official documents

Regulation (EU) 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Regulation (EU) 2015/2424 of the European Parliament and of the Council of 16 December 2015 amending Council Regulation (EC) No 207/2009 on the Community trade mark and Commission Regulation (EC) No 2868/95 implementing Council Regulation (EC) No 40/94 on the Community trade mark, and repealing Commission Regulation (EC) No 2869/95 on the fees payable to the Office for Harmonization in the Internal Market (Trade Marks and Designs). Available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015R2424&from=EN.

[1]U.S. government bases its argument mostly on the Marc Rich case, where the Court permitted a grand jury subpoena issued in a tax evasion investigation, collecting overseas information of a bank, but not information that the firm had from third parties as it happens with Microsoft.